ALL POSTS
Threat Actors Leverage FortiGate Devices to Gain Access to Sensitive Network Data
Key Findings: Attackers are exploiting vulnerabilities or weak credentials in FortiGate Next-Generation Firewall (NGFW) devices to gain initial access to corporate networks. Once inside, the attackers extract configuration files containing service account credentials and information about the internal network structure. The campaign appears to target sectors such as healthcare, government agencies, and managed service providers. Attackers have abused features like Single Sign
Mar 10 · 2 min read
Hacker Deploys LLM-Powered AI To Attack FortiGate Devices Across 55 Countries
Key Findings: A Russian-speaking threat actor compromised over 600 FortiGate firewalls across 55 countries in just 5 weeks. The attacker systematically used generative AI and large language models (LLMs) to write tools and plan follow-on actions inside victim networks. The campaign did not rely on zero-day vulnerabilities, instead targeting publicly accessible admin panels and VPN portals protected by weak credentials. Stolen FortiGate configurations provided detailed informatio
Mar 3 · 2 min read
Compromised 600+ FortiGate Devices Globally by AI-Assisted Threat Actor
Key Findings: A Russian-speaking, financially motivated threat actor has compromised over 600 FortiGate devices located in 55 countries between January 11 and February 18, 2026. The threat actor leveraged multiple commercial generative AI tools to automate various stages of the attack cycle, including tool development, attack planning, and command generation. No exploitation of FortiGate vulnerabilities was observed - the campaign succeeded by exploiting exposed management por
Feb 21 · 2 min read
Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations
Key Findings: Arctic Wolf observed a new cluster of automated malicious activity targeting Fortinet FortiGate firewalls since January 15, 2026. The attacks involve the creation of generic user accounts for persistence, configuration changes granting VPN access to those accounts, and exfiltration of firewall configurations. This activity shares similarities with a December 2025 campaign that exploited critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and C
Jan 22 · 2 min read
